sys-boot/shim: Update shim to include signing keys, and build mm.efi

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2025-08-07 21:16:57 +02:00 · 2023-11-24 04:41:17 +05:30 · 2023-11-24 04:41:17 +05:30 · b42e3ad58b
commit b42e3ad58b
parent 348a26201a
3 changed files with 31 additions and 6 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
@ -0,0 +1,18 @@
+## Keys & Certificates
+
+- PK (Platform Key): The Platform Key is the key to the platform.
+- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
+- DB (Signature Database): The signature database is used to validate signed EFI binaries.
+- Shim Certificates: Our set of certificates
+
+
+## Generation of Keys & Certificates
+
+
+Generate the our shim certificates:
+
+```
+openssl genrsa -out "shim.key" 2048
+openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
+openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
+```
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
@ -1,14 +1,15 @@
 # Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
 # Distributed under the terms of the GNU General Public License v2

-EAPI=7
+EAPI=8

 DESCRIPTION="Flatcar Secure Boot keys"
 HOMEPAGE=""
 SRC_URI=""
 LICENSE="BSD"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
+KEYWORDS="amd64 arm64"
 IUSE=""

 S="${WORKDIR}"
@ -24,6 +25,6 @@ src_install() {

 	# shim keys
 	newins "${FILESDIR}/shim.key" shim.key
-  	newins "${FILESDIR}/shim.der" shim.der
-  	newins "${FILESDIR}/shim.pem" shim.pem
+  newins "${FILESDIR}/shim.der" shim.der
+  newins "${FILESDIR}/shim.pem" shim.pem
 }
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@ -26,7 +26,10 @@ RDEPEND=""
 # currently the shim insists on using the bundled copy. This will need
 # to be addressed by patching this check out after making sure that
 # our copy of gnu-efi is as usable as the bundled one.
-DEPEND="dev-libs/openssl"
+DEPEND="
+	dev-libs/openssl
+  	coreos-base/coreos-sb-keys
+"

 src_unpack() {
 	cros-workon_src_unpack
@ -47,6 +50,8 @@ src_compile() {
 	elif use arm64; then
 		emake_args+=( ARCH=aarch64 )
 	fi
+  	emake_args+=( ENABLE_SBSIGN=1 )
+  	emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
 	emake "${emake_args[@]}" || die
 }

@ -60,4 +65,5 @@ src_install() {
 	fi
 	insinto /usr/lib/shim
 	newins "shim${suffix}.efi" 'shim.efi'
-}
+  	newins "mm${suffix}.efi" "mm${suffix}.efi"
+}